Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 18 Jun 2015 11:34:36 +0300
From:      Pavel Timofeev <timp87@gmail.com>
To:        freebsd-stable stable <freebsd-stable@freebsd.org>, Gregory Shapiro <gshapiro@freebsd.org>
Subject:   Last openssl update brakes localhost email sending
Message-ID:  <CAAoTqft7wRi9Ov_oiCk64HwbT%2BrXn-AvkOd-%2BVeFhq_s8bE7NA@mail.gmail.com>
next in thread | raw e-mail | index | archive | help 
Good day to everybody! ;)
My FreeBSD 10.1-RELEASE-p13 amd64 can't send email to localhost anymore!

I know that openssl has been updated, and it raises the bar of bit
size of dh parameters.
I know, there is an update for sendmail to catch up it. But. it didn't help.

Here is one of my servers.
I did not touch anything in /etc/mail after installation of my system.
And of course I didn't create a dh parameters in /etc/mail/certs dir.

root@pyxis-v:~ # freebsd-version
10.1-RELEASE-p13

root@pyxis-v:~ # echo test | mail -s 'aa' ptimofeev@ocs.ru

root@pyxis-v:~ # tail -f /var/log/maillog
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122: from=timp,
size=39, class=0, nrcpts=1,
msgid=<201506180819.t5I8J0F1001122@pyxis-v.ocs.ru>,
relay=root@localhost
Jun 18 11:19:00 pyxis-v sendmail[1122]: STARTTLS=client, error:
connect failed=-1, reason=dh key too small, SSL_error=1, errno=0,
retry=-1
Jun 18 11:19:00 pyxis-v sm-mta[1123]: STARTTLS=server, error: accept
failed=0, reason=sslv3 alert handshake failure, SSL_error=1, errno=0,
retry=-1, relay=localhost [127.0.0.1]
Jun 18 11:19:00 pyxis-v sendmail[1122]: ruleset=tls_server,
arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
Jun 18 11:19:00 pyxis-v sendmail[1122]: t5I8J0F1001122:
to=ptimofeev@ocs.ru, ctladdr=timp (1001/1001), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=30039, relay=[127.0.0.1]
[127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake.
Jun 18 11:19:00 pyxis-v sm-mta[1123]: t5I8J0p5001123: localhost
[127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to
Daemon0


Why it complains about too small dh key?! I don't have them. No
changes in /etc/mail since installation. What's going on?

So looks like everybody who updated their systems to p-1(2|3) has to
do some stuff (openssl dhparam -out dh.param 2048).
IMO, it's really, really bad.
Am I wrong, misunderstanding or doing something wrong?

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAoTqft7wRi9Ov_oiCk64HwbT%2BrXn-AvkOd-%2BVeFhq_s8bE7NA>